IB/ipath: ipath_skip_sge() can break if num_sge > 1

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

ipath_skip_sge() doesn't exactly duplicate the side effects of
ipath_copy_sge() if num_sge > 1 since it doesn't decrement ss->num_sge.
This could result in the sg_list being accessed out of bounds.
Since ipath_skip_sge() is almost always called with num_sge == 1,
the original "optimization" is almost never used.

Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

authored by

Ralph Campbell and committed by

Roland Dreier 20 years ago 16c59419 c9f79bdc

-4

1 changed file

expand all

drivers

infiniband

ipath

ipath_verbs.c

-4

drivers/infiniband/hw/ipath/ipath_verbs.c

··· 191 191 { 192 192 struct ipath_sge *sge = &ss->sge; 193 193 194 - while (length > sge->sge_length) { 195 - length -= sge->sge_length; 196 - ss->sge = *ss->sg_list++; 197 - } 198 194 while (length) { 199 195 u32 len = sge->length; 200 196